This report is confidential and is intended for use by the Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, 
to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report 
does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, 
however such loss or damage is caused. 


It is the responsibility solely of the ICO management to ensure that there are adequate arrangements in place in relation to risk management, governance and control. 
1 Executive Summary 


1.1 Background

Our review considered the ICO's arrangements for monitoring and
implementing recommendations raised from internal audit reviews.


1.2 Scope

We reviewed the assurances available to the Audit Committee that
recommendations are being implemented in a timely manner, following up
recommendations made in 2013-14 and 2014-15.

We focussed on the following sub risk:

• The ICO's arrangements for following up audit recommendations may
not be adequate resulting in recommendations not being completed on
time and to a satisfactory standard, with the ICO remaining exposed to
risks that are deemed to be unacceptable resulting in a lack of comfort
for the Audit Committee and senior management that the internal
control framework is operating effectively.

Further details on responsibilities, approach and scope are included in
Appendix A.


1.3 Overall assessment

We have made an overall assessment of our findings as:

Overall assessment

We have identified matters which, if resolved, will help management fulfil
their responsibility to maintain a robust system of internal control.

Refer to Appendix B for definitions of internal audit opinion and
recommendation ratings.


1.4 Key findings

Risk / Process

Evidence of implementation   -   -   1   -
Total                        -   -   1   -


1.5 Controls identified

During our review we confirmed that the following controls have
continued to operate during 2014-15:

• The Senior Corporate Governance Manager maintains a log of
outstanding audit recommendations, which is presented to the Audit
Committee at each meeting for discussion and challenge;

• This log is available on the ICON system, to allow recommendation
owners to view their outstanding recommendations, and they are
reminded individually when updates are needed;

• The log shows the due date for implementation of recommendations,
as well as a forecast due date if this is expected to be different. An
accompanying explanation is provided for any re-forecast due dates;

• Implemented recommendations are recorded separately from ongoing
recommendations to allow the Audit Committee to clearly focus on
those which remain unactioned, but implemented recommendations
do remain on the Register until the end of the financial year to which
they relate;

• A performance update is provided with the outstanding 
recommendations log to each Audit Committee meeting, giving 
oversight of the number of overdue recommendations; 

• We verified that all recommendations raised during 2013-14 had been 
included on the log of outstanding recommendations and cleared as 
appropriate; 

• We followed up on all seven recommendations recorded as being 
cleared on the March 2014 log reported to the Audit Committee. We 
confirmed that each had been appropriately addressed as reported. 


1.6 Acknowledgement 


We would like to take this opportunity to thank the staff involved for 
their co-operation during this internal audit. 
Low | Supporting evidence for IT recommendation 


Finding and Implication 

The Senior Corporate Governance Manager is not always able 
to obtain evidence from recommendation owners to support 
those actions taken to address audit findings. This can delay 
follow up reviews as reliance is sometimes placed upon the 
recommendation owner to demonstrate that the 
recommendation has been cleared (or if not to provide an 
update). This recommendation will assist in any audit follow 
up process. 


Proposed action 

Where appropriate, the Senior Corporate 
Governance Manager should obtain 
supporting evidence from recommendation 
owners that supports and confirms that 
recommendations have been implemented. 


Agreed action (Date / Ownership) 

Agreed action: 

Where possible specific evidence that an action 
has been cleared will be saved on the electronic 
records management system to allow the 
clearance of the action to be confirmed at a later 
date. 

Where specific evidence is not available a 
written note will be saved confirming the reasons 
for the decision to clear the action. 

Date Effective: Immediately. 

Owner: Peter Bloomfield, Senior Corporate Governance Manager 
A Internal audit approach 


Approach 

Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards and the Auditing 
Practices Board’s ‘Guidance for Internal Auditors’. We also had regard to 
the Institute of Internal Auditors’ guidance on risk based internal auditing 
(2005). 


Our internal audit approach is based upon the underlying principles of the 
UK Corporate Governance Code (2010) together with the associated 
Turnbull Committee guidelines on internal control (2005) that require 
management to identify, assess and manage the risks that are significant to 
the achievement of the organisation’s overall business objectives. We will 
also have regard to the HM Treasury Management of Risk Guidance 
(2001). Our role as internal auditor is to provide objective and independent 
assurance to the Audit Committee and management that it is doing so 
successfully for each of the areas being audited. 


As part of our 2013-14 Audit Plan, we agreed with the Audit Committee 
and management that we should carry out a review of the ICO's 
arrangements for managing its follow up of audit recommendations to 
further inform our ongoing understanding of the ICO’s key internal 
control activities. 


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 
Scope 
Our review focused on the following risk: 


• The ICO's arrangements for following up audit recommendations may 
not be adequate resulting in recommendations not being completed on 
time and to a satisfactory standard, with the ICO remaining exposed to 
risks that are deemed to be unacceptable resulting in a lack of comfort 
for the Audit Committee and senior management that the internal 
control framework is operating effectively. 


Additional information 
Client staff 
The following staff were consulted as part of this review: 


• Peter Bloomfield — Senior Corporate Governance Manager 
• Dave Wells — Head of IS 


Documents received 
The following documents were received during the course of this audit: 


• Audit Committee minutes and accompanying reports on outstanding 
audit recommendations 

• Evidence to support the sample of recommendations reported to the 
Audit Committee as implemented 

• Progress of audit findings provided by Senior Corporate Governance 
Manager 
B Definition of internal audit opinion and ratings 


Audit issue rating 
Within each report, every audit issue is given a rating. The ratings are summarised in the table below. 


Rating | Description | Features 


Description: Findings that are fundamental to the management of 
risk in the business area, representing a weakness 
in control that requires the immediate attention of 
management 
Features: 
• Key control not designed or operating effectively 
• Potential for fraud identified 
• Non compliance with key procedures / standards 
• Non compliance with regulation 


Description: Important findings that are to be resolved by line 
management. 
Features: 
• Impact is contained within the department and compensating controls would detect errors 
• Possibility for fraud exists 
• Control failures identified but not in key controls 
• Non compliance with procedures / standards (but not resulting in key control failure) 


Description: Findings that identify non-compliance with 
established procedures. 
Features: 
• Minor control weakness 
• Minor non compliance with procedures / standards 


Description: Items requiring no action but which may be of 
interest to management or best practice advice 
Features: 
• Information for department management 
• Control operating but not necessarily in accordance with best practice 